Skip to main content

Redmine EUVDEUVD-2026-36424

| CVE-2026-1836 MEDIUM
Storing Passwords in a Recoverable Format (CWE-257)
2026-06-12 INCIBE GHSA-w8cj-56rx-3gpm
5.3
CVSS 4.0 · Vendor: INCIBE
Share

Severity by source

Vendor (INCIBE) PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.6 MEDIUM

Local access and prior victim login interaction required (PR:L, UI:R); credentials fully exposed upon access (C:H/I:H), no availability impact.

3.1 AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
4.0 AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (INCIBE).

CVSS VectorVendor: INCIBE

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
A
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 12, 2026 - 14:21 vuln.today

DescriptionCVE.org

The system stores the username and password from the login form after submitting the request. This could allow an attacker with access to the platform to return to the browser and view the login credentials.

AnalysisAI

Credential exposure in Redmine allows any local attacker with access to a previously-used browser session to recover plaintext login credentials stored by the application after form submission. The flaw (CWE-257) affects all tracked Redmine versions per NVD CPE data and represents a classic insecure credential storage issue. No public exploit has been identified at time of analysis, and exploitation is constrained to local attack vectors requiring prior user interaction.

Technical ContextAI

CWE-257 (Storing Passwords in a Recoverable Format) describes the root cause: Redmine's login form retains submitted credentials in a browser-accessible, recoverable state after the authentication request is processed - likely via browser autocomplete persistence, form cache, or equivalent browser storage mechanism. The CPE string cpe:2.3:a:redmine:redmine:*:*:*:*:*:*:*:* covers all versions of the Redmine project management application. The vulnerability is application-layer: Redmine fails to clear or protect submitted form data post-submission, leaving credentials readable within the browser environment rather than being discarded after use.

RemediationAI

A vendor patch is available per the INCIBE advisory at https://www.incibe.es/en/incibe-cert/notices/aviso/stored-credentials-redmine - administrators should consult this advisory and apply the patched Redmine release; the exact fixed version number is not independently confirmed from currently available data. As a compensating control pending patching, administrators should configure Redmine's login form with autocomplete='off' to prevent browser credential caching, though this depends on browser enforcement and may affect usability. Users on shared systems should manually clear browser-saved form data after each session. Organizations should enforce browser policies via GPO or MDM to disable credential autofill on sensitive internal applications. Restricting physical and session access to workstations used to access Redmine is the most effective short-term compensating control, with the trade-off of operational friction on shared infrastructure.

CVE-2014-1985 MEDIUM POC
5.8 Apr 11

Open redirect vulnerability in the redirect_back_or_default function in app/controllers/application_controller.rb in Red

CVE-2021-29274 MEDIUM POC
6.1 Mar 29

Redmine 4.1.x before 4.1.2 allows XSS because an issue's subject is mishandled in the auto complete tip. Rated medium se

CVE-2021-30164 CRITICAL
9.8 Apr 06

Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to bypass the add_issue_notes permission requirement by lev

CVE-2017-15572 HIGH
7.5 Oct 18

In Redmine before 3.2.6 and 3.3.x before 3.3.3, remote attackers can obtain sensitive information (password reset tokens

CVE-2017-15577 HIGH
7.5 Oct 18

Redmine before 3.2.6 and 3.3.x before 3.3.3 mishandles the rendering of wiki links, which allows remote attackers to obt

CVE-2017-15576 HIGH
7.5 Oct 18

Redmine before 3.2.6 and 3.3.x before 3.3.3 mishandles Time Entry rendering in activity views, which allows remote attac

CVE-2022-44030 HIGH
7.5 Dec 06

Redmine 5.x before 5.0.4 allows downloading of file attachments of any Issue or any Wiki page due to insufficient permis

CVE-2021-37156 HIGH
7.5 Aug 05

Redmine 4.2.0 and 4.2.1 allow existing user sessions to continue upon enabling two-factor authentication for the user's

CVE-2021-31863 HIGH
7.5 Apr 28

Insufficient input validation in the Git repository integration of Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x b

CVE-2021-30163 HIGH
7.5 Apr 06

Redmine before 4.0.8 and 4.1.x before 4.1.2 allows attackers to discover the names of private projects if issue-journal

CVE-2015-8474 HIGH
7.4 Apr 12

Open redirect vulnerability in the valid_back_url function in app/controllers/application_controller.rb in Redmine befor

CVE-2017-15575 HIGH
7.3 Oct 18

In Redmine before 3.2.6 and 3.3.x before 3.3.3, Redmine.pm lacks a check for whether the Repository module is enabled in

Share

EUVD-2026-36424 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy